New Haron and BlackMatter Ransomware Gangs Emerge Looking For Affiliates

Two new ransomware-as-a-service (RaaS) operations emerged this month, with one group claiming to be the successor of DarkSide and REvil, two notorious gangs that disappeared from the scene after the attacks on Colonial Pipeline and Kaseya a couple of months ago.

According to Flashpoint, the operators of the new BlackMatter gang have promised to not strike organizations in sensitive industries, including healthcare, defense, critical infrastructure, and oil and gas.

The BlackMatter threat actor registered accounts on XSS and Exploit, two large Russian-language cybercrime forums, and announced that they are looking to buy access to corporate networks in the US, Australia, Canada, and the UK. Their goal appears to be a large-scale ransomware operation.

According to researchers, the language used by the actor and the amount of money they deposited indicate that they are a ransomware collective operator.

“The actor deposited 4 BTC (approximately $150,000 USD) into their escrow account. Large deposits on the forum indicate the seriousness of the threat actor,” Flashpoint researchers said in a report. “BlackMatter does not openly state that they are a ransomware collective operator, which technically doesn’t break the rules of the forums, though the language of their post, as well as their goals, clearly indicate that they are a ransomware collective operator.”

The group has reportedly started recruiting partners and affiliates through a Jabber contact advertised on Exploit. They are said to be looking for seasoned penetration testers and initial access brokers.

In May, security firm Proofpoint described a growing trend of ransomware gangs buying access to targeted organizations from initial access brokers in exchange for a portion of the illicit profits.

Researchers said there are some indications that BlackMatter is a rebranded REvil. They cite “similar rules around targeting” and the fact that REvil previously used a Windows Registry key called “BlackLivesMatter.”

It’s possible that the copycats are intentionally imitating the behavior of REvil in order to gain immediate credibility, Flashpoint said.

South Korean security firm S2W Lab has reported another new gang called Haron, which borrows elements from several recent ransomware variants, including Thanos and the now-defunct Avaddon.

About the author

CIM Team
